
I've actually found that tcpdump to be very effective at picking and removing spoofed addresses. For a lab I spoofed some packets for a simple DoS in a classroom setting and when the students blocked the "spoofed" address, the actual source address appeared in the tcpdump packets (interestingly didn't appear in the Ethereal feed).

Hrmmmm... either the most recent or the one before that. I was using RH8 at the time. I'll try to do some empirical research in class next semester to see if I can a) fully replicate it (to ensure something else wasn't happening) and b) to see how it might have been happening.

There are ways to track spoofed addresses but you'll need access to every router (hop) the packet has traveled through. So forget about tracing spoofed packets originating from the Internet (unless your ISP is willing to help). Just firewall them and forget about it.

Oliver's Law:
Experience is something you don't get until just after you need it.

Originally posted here by j3r Of course, the problem with "just firewall them" is that sometimes, you'll be blocking an address that is actually owned by someone you want to talk to. Just be careful, is all.

Not if you configure your firewall correctly.

An access-list or firewall policy should be configured to expect certain IP addresses from certain interfaces. For example, if your firewall gets a packet from its external (Internet facing) interface with a source IP address of 10.x.x.x, then you can guarantee it is a spoofed packet and it should be dropped.

The type of spoofing you truly cannot prevent however is the type where the source IP address is changed for anonymity purposes, such as packets being generated from a packet generator such as hping or my personal favorite, rain.

While I do agree with MsMittens that the original IP address can be found from a sniffer trace in some cases, this is rarely the case with a "good" packet generator. Which is why I would agree more with SirDice's comments that there really is no good way to do it.
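The interface-based anti-spoofing policy described in the post above, worked through as an added example (not code from the thread or any poster): the interface names, the 192.168.1.0/24 LAN prefix and the sample packets are assumptions constructed for illustration. It also covers the egress half, dropping LAN packets whose source is not the LAN's own prefix.

```python
import ipaddress
from dataclasses import dataclass

# Source prefixes that can never legitimately arrive on an Internet-facing
# interface: RFC 1918 private ranges plus a few other non-routable blocks.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
)]

# Hypothetical policy: each inside interface lists the source prefixes it is
# expected to deliver. The "external" interface accepts anything not in BOGON_PREFIXES.
POLICY = {
    "internal": [ipaddress.ip_network("192.168.1.0/24")],
}

@dataclass
class Packet:
    interface: str  # interface the packet arrived on
    src: str        # source IP address as a string

def is_spoofed(pkt: Packet) -> bool:
    """True if the source address is impossible for the interface it arrived on."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.interface == "external":
        # Ingress check: a private/reserved source from the Internet side is forged.
        return any(src in net for net in BOGON_PREFIXES)
    # Egress check: an inside interface may only deliver its own prefixes, so
    # the LAN cannot spoof outside addresses toward the Internet.
    expected = POLICY.get(pkt.interface, [])
    return not any(src in net for net in expected)

def filter_packets(packets):
    """Split packets into (accepted, dropped) lists according to is_spoofed()."""
    accepted, dropped = [], []
    for p in packets:
        (dropped if is_spoofed(p) else accepted).append(p)
    return accepted, dropped

# Constructed sample traffic for the demonstration (not captured data).
SAMPLE = [
    Packet("external", "203.0.113.7"),   # ordinary Internet source: accept
    Packet("external", "10.1.2.3"),      # private source from outside: forged
    Packet("external", "192.168.1.20"),  # our own LAN prefix from outside: forged
    Packet("internal", "192.168.1.20"),  # LAN host on the LAN interface: accept
    Packet("internal", "203.0.113.99"),  # LAN host forging an outside address: drop
]

if __name__ == "__main__":
    _, dropped = filter_packets(SAMPLE)
    for p in dropped:
        print(f"DROP iface={p.interface} src={p.src}")
```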

Mileage may vary but if you can 'telnet' into your router you can dump the routing table and connections. The web interface is pretty much set up for noobies. My phone company gets pissed when you use non-standard equipment. I wonder why.